https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193133#M55559 <P>Simple - do an inputlookup of your csv and NOT that with the search that produces your list of installed patches. That should give you the entries which are in the csv but not in the data of your index.</P> <P>It should look something along the lines of</P> <PRE><CODE>| inputlookup your_csv NOT [search your_search | table name, patch] </CODE></PRE> <P>Try the subsearch alone with a <CODE>| format</CODE> at the end to see how the result is passed to the NOT of the inputlookup - it's a simple ((name=x AND patch=y) OR (name=a AND patch=b) ... ), which is exactly what you want for your NOT.</P> <P>Of course this only works if the column names are the same in your csv and the search, but that can easily be done with a rename if neccessary.</P> Mon, 06 Jul 2015 06:31:12 GMT jeffland 2015-07-06T06:31:12Z https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193132#M55558 <P>Hi</P> <P>I have a list of events about patches installed on my hosts (about 3k) which look like </P> <PRE><CODE>Hostname1, PatchId1 Hostname1, PatchId2 Hostname2, PatchId2 Hostname2, PatchId3 </CODE></PRE> <P>Also I have lookup with list of patches which should be installed on each hostname.<BR /> I know that some are hosts missing some patches and I need to find which hosts are missing which patches.</P> <P>Please help me to understand a way how to do this.</P> Mon, 06 Jul 2015 06:00:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193132#M55558 ArsenyKapralov 2015-07-06T06:00:13Z https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193133#M55559 <P>Simple - do an inputlookup of your csv and NOT that with the search that produces your list of installed patches. That should give you the entries which are in the csv but not in the data of your index.</P> <P>It should look something along the lines of</P> <PRE><CODE>| inputlookup your_csv NOT [search your_search | table name, patch] </CODE></PRE> <P>Try the subsearch alone with a <CODE>| format</CODE> at the end to see how the result is passed to the NOT of the inputlookup - it's a simple ((name=x AND patch=y) OR (name=a AND patch=b) ... ), which is exactly what you want for your NOT.</P> <P>Of course this only works if the column names are the same in your csv and the search, but that can easily be done with a rename if neccessary.</P> Mon, 06 Jul 2015 06:31:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193133#M55559 jeffland 2015-07-06T06:31:12Z https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193134#M55560 <P>Thank you</P> <P>But I think this search will only find first match and it will not show correct results for thousand of hosts for each one. How can I do this?</P> Fri, 18 Sep 2015 15:57:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193134#M55560 ArsenyKapralov 2015-09-18T15:57:37Z https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193135#M55561 <P>Have you tried switching the main and the subsearch then?</P> Mon, 21 Sep 2015 08:41:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-which-hosts-are-missing-patches-using-a-lookup/m-p/193135#M55561 jeffland 2015-09-21T08:41:25Z